[Openid-specs-risc] Working towards a second Implementer's Draft
Richard Backman, Annabelle
richanna at amazon.com
Tue Dec 1 21:02:41 UTC 2020
[richanna]
Responses inline
[/richanna]
—
Annabelle Backman
richanna at amazon.com
On Dec 1, 2020, at 8:27 AM, Atul Tulshibagwale <atultulshi at google.com> wrote:
Annabelle,
Thank you for this email. I'd like to clear up possible misunderstandings from your email about the current state of the SSE draft specification here.
1. Your email says "CAEP related work is starting to solidify". I'm not sure what you mean there, but please note that the working group has been meeting biweekly (sometimes weekly) to discuss the SSE draft <https://bitbucket.org/openid/risc/src/caep-draft-01/openid-sse-profile-2_0.txt> since May this year, and the WG conducted a virtual workshop<https://drive.google.com/drive/folders/1b-dk6qb9lJ7w56s2VxvD6_sqGpFCG05z?usp=sharing> specifically to review this draft in June. Comments from WG members and iterations of the draft can be viewed in the "spec-draft/archived" folder of the shared drive<https://drive.google.com/drive/folders/1EqDJaDzIXHkE59gGi-yLUhHPr-iTthz4?usp=sharing>. Notes from the biweekly calls are here<https://docs.google.com/document/d/1ZFwJJDwwSBNKX35VObClC1ctMbMMuHJtr5qY-7xsLW8/edit?usp=sharing>, and the June workshop notes are here<https://docs.google.com/document/d/13aBPTFAVLuwIaFzafKe4O-84ILSw95RjLHlj5Ej-l0Q/edit?usp=sharing>. The comments (closed and open) on the archived files<https://drive.google.com/drive/folders/1-GM2Ui4eUIDy-STF4ZzlVQgo55gR-tJ2?usp=sharing> are a good place to understand the discussion so far.
[richanna]
The notes that you linked are pretty sparse, and haven't been shared on the list since August. On last week's call, we discussed the issue of note-taking and the need to appoint someone to take notes for each meeting. There seemed to be general agreement from everyone on the call that we had not been diligent about taking meeting notes, to the point that there was a proposal to switch call platforms to one that provides automatic meeting transcriptions. Are you saying that you think we have been doing an adequate job taking notes and sharing those with the rest of the working group?
[/richanna]
2. I'd like to understand the level of interest you see in the current RISC draft spec from outside the working group, as a number of people in the WG have been actively participating in the development of this new draft. BTW the RISC draft also expired a couple of years ago, so I'm not sure what the level of interest is. Since the present draft represents a revision of the previous RISC draft, it's not clear what is to be achieved by creating the pull-requests.
[richanna]
OIDF Implementer's Drafts don't expire; where are you getting the notion that the RISC draft has expired?
I'm not sure what you mean by "revision of the previous RISC draft." If you mean the SSE draft is something like "RISC 2.0" then that is incorrect. We haven't published anything as a Final Specification, so we're still working on 1.0. While we could publish the SSE draft as a separate Implementer's Draft, I think it would be more appropriate and less confusing if we publish a revision of the existing "OpenID RISC Profile of IETF Security Events" Implementer's Draft (with a name change) that incorporates the changes. This reflects the fact that this work is additive to what we've already done with the RISC Profile. I don't think there is anything in that additive work that is specific or complex enough to warrant a separate profile.
My goal with the pull requests is to prompt the working group to review and comment on the changes (see response to #3 below), and integrate those changes into the published draft to provide continuous change history. I think it will also be beneficial for the working group to see unrelated changes broken out separately, as they are much easier to understand that way.
[/richanna]
3. In your email you also say that we should "understand the more complicated changes". If you have any questions or concerns about the new draft, please bring them up urgently, as I believe we now have consensus within the WG on the draft. As far as I know there is no outstanding discussion on any aspect of the draft (except your email below).
[richanna]
I expect that there are members of the working group who haven't given the SSE draft a solid read-through yet. It's not uncommon for people to only start paying close attention when work is about ready to advance to the next stage (i.e., Implementer's Draft in OIDF). Much of the development of these changes has happened off-list and has not been well documented on the list (see response to #1 above). This has also occurred at a time where many are under extraordinary stress and dealing with unprecedented changes in their lives. With all of that in mind I'd feel a lot more comfortable about claiming consensus if we've given the list an explicit prompt to review and comment (via the suggested pull requests). I don't expect there to be much debate, but I expect we'll find at least a couple of tweaks to be made.
[/richanna]
4. To clarify the point about "a lot of discussion has happened on the calls and face to face that hasn't made it to the list": All call notes are captured here<https://docs.google.com/document/d/1ZFwJJDwwSBNKX35VObClC1ctMbMMuHJtr5qY-7xsLW8/edit?usp=sharing>, and the various workshop notes are also in the shared drive. We have shared these files periodically on the mailing list. I'm not sure what particular aspects you think are "not well documented"
[richanna]
See response to #1 above.
[/richanna]
5. As to the point about "we haven't really established working group consensus": Can you please point to any discussion on the list or in the call notes or workshop notes where you think there's disagreement on important issues relating to the draft?
[richanna]
I cannot point to conversations that haven't had a chance to happen yet. :) It may be that no conversations need to happen, but I don't have confidence in that yet. This is about surfacing "unknown unknowns".
[/richanna]
6. Regarding your point about "Is SSE the right name?": This was determined when we re-formed the working group. Is there any new information that makes you believe this is not relevant or current anymore?
[richanna]
My question isn't about the working group's name, but about the draft's name. Is it really a generic "Shared Signals & Events" profile, or is it particular to RISC and CAEP use cases? I think it's generic enough, but I think it's worth asking the question.
[/richanna]
It's great to see you being present in the working group now, I look forward to your active participation in this WG from here on forward.
Thanks,
Atul
On Tue, Nov 24, 2020 at 3:08 PM Richard Backman, Annabelle via Openid-specs-risc <openid-specs-risc at lists.openid.net> wrote:
Hello SSE Working Group,
Now that the CAEP-related work is starting to solidify, I think it appropriate to merge changes into the existing RISC Profile document, in order to establish continuity between the current Implementer's Draft and what will hopefully soon be the new Implementer's Draft.
I have scanned through the diff between the two documents, and while there are a number of changes, I think they can be merged in pretty cleanly. Most of the changes are additive, and there is little to no drastic rewriting or reordering of sections, or other mutations that would make for a messy merge process. However, I recommend we break the changes down into several pull requests, along these lines:
1. Replace core Subject Identifier Type definition with reference to draft
2. Minor editorial corrections
3. Renaming (e.g., "RISC" to "SSE", or something else?)
4. New Subject Identifier Types
5. Stream Updated event
6. Small-scope normative changes, taken individually, e.g.,:
* Stream Updated event
* Change to meaning of missing "verified" property in an Add Subject request
* 202 responses
7. Everything related to SPAGs
This will let us clear through the simple changes quickly, and make it easier to understand the more complicated ones. This will also give us an opportunity to surface the more significant changes to the list. I think a lot of discussion has happened on calls and face-to-faces (back when we could have those) that hasn't made it to the list, which means it isn't well documented and we haven't really established working group consensus.
I think most of these will be non-controversial, but there are a few items that we may want to poke at. (e.g., is SSE the right name for this?)
—
Annabelle Backman
richanna at amazon.com